Drafting an Effective HIPAA Breach Report

HIPAA breaches happen.  So long as humans handle protected health information (PHI), there will be mistakes that result in a breach, and that is before counting hacking incidents and other bad-actor breaches.  Common examples include faxing or emailing patient information to the wrong recipient, or including information about one patient in a mailing sent to another patient.  These things happen.

For compliance purposes, the response to a breach is key.  Providers that respond swiftly, implement corrective measures, notify affected patients on time and file a thorough breach report with the Department of Health and Human Services (DHHS) are far more likely to avoid scrutiny.  And what you say in the breach report matters.  A breach report that raises questions or concerns will prompt further inquiry.

The first enforcement resolution announced this year made this point clear.  In 2013, a small Utah gastroenterology practice filed a “breach” report with DHHS stating that its electronic health record (EHR) vendor had blocked the provider’s access to electronic patient records until the provider paid a fee of $50,000.  The provider’s plan to use the government as leverage in a contract dispute backfired.  Likely intrigued by the “breach” report, DHHS’s Office for Civil Rights (OCR) opened an investigation and found that the provider had failed to complete an accurate and thorough risk analysis, had failed to implement measures to appropriately reduce risks and vulnerabilities, and had no adequate business associate agreement with the EHR vendor.  The provider paid $100,000 to settle the matter.

The contents of the breach report matter.  Here are five important considerations for drafting an effective breach report:

1.   Draft the breach report soon after completing the investigation.   Breaches involving fewer than 500 individuals do not need to be reported to DHHS until 60 days after the end of the calendar year in which the breach was discovered (breaches involving 500 or more individuals must be reported without unreasonable delay and no later than 60 days after discovery).  Even when the filing deadline is months away, it is best to craft the narrative portions of the report while the details of the incident are fresh in your mind.

2.   Use the Reporting Form Template.  The breach report has many elements and must be filed electronically.  It is useful to print the reporting form template from DHHS’s website and use it as a guide while preparing to file the report.  The report requires the following information: (a) number of individuals affected by the breach; (b) breach start and end dates; (c) type of breach; (d) location of the breach; (e) type of PHI involved; (f) brief description of the breach; (g) safeguards in place prior to the breach; (h) notice of breach; and (i) actions taken in response.  All elements are important, but the three discussed below are vital.

3.   Craft an Effective Description of the Incident.   The brief description section is the sole narrative-only component of the report, and it provides a critically important opportunity to demonstrate that your organization knows how to handle a breach.  The relevant facts established by the investigation should drive the narrative.  Avoid commentary and judgmental statements.  Be clear about the timeline and the results of the investigation.  Finally, note the steps taken to mitigate risk and to ensure that a similar event will not occur in the future.  The description should leave no unanswered questions and should convince DHHS that your organization understands its obligations under HIPAA and that further inquiry is unnecessary.

4.   Accurately Note the Safeguards in Place.  After the brief description section, the online form presents a list of five possible safeguards in place prior to the breach.  The options are:  (i) None; (ii) Privacy Rule Safeguards (training, policies and procedures, etc.); (iii) Security Rule Administrative Safeguards (risk analysis, risk management, etc.); (iv) Security Rule Physical Safeguards (facility access controls, workstation security, etc.); and (v) Security Rule Technical Safeguards (access controls, transmission security, etc.).  For obvious reasons, selecting “None” will raise a red flag.  Check all that apply, but only those you can actually document: if OCR does open an inquiry, it will ask to see the risk analysis, the policies and the training records behind each box you checked, as the Utah provider learned.  If you have a comprehensive HIPAA compliance program, you should be able to check all of the Privacy and Security Rule boxes.

5.   Detail the Actions Taken in Response.  The final section of the form presents a list of 14 post-breach actions, including revised policies and procedures, trained staff, and implemented new technical safeguards.  The 15th option is “other,” and it provides the opportunity to describe the “other” actions taken.  Check every item in the list that applies.  Additionally, because none of the listed options will comprehensively describe the steps you have taken, also check “other” and use the narrative space to provide details about those steps.  This is important even if you already mentioned the steps in the brief description.  As with the brief description, the goal is to reassure DHHS that your organization handles breaches appropriately and understands the importance of mitigation and prevention efforts.

Take the time to describe your breach response efforts in the report.  Avoiding further inquiry or an investigation is the goal.  Once an investigation is underway, OCR can and will turn over many rocks and it almost always finds something, even things unrelated to the reported breach.